stop SID from showing - PHP Development

  1. #1

    Default stop SID from showing

    Having considered all security risks involved, I have decided that my
    website needs to run without cookies and therefore turned on the trans_sid.

    But now I am trying to stop the SID from being automatically appended to my
    URLs unless it is needed, but have been so far unsuccessful:

    I have got a session variable that I want to follow around my website but
    only if a user has logged in. So let's assume I had a session variable
    called "userID". If userID exists, it means that the user has previously
    logged in and yes, I do want the SID to be appended to my URL string.

    But if the user has not logged in (userID does not exist as a session
    variable) I don't want the SID to be appended.

    The files that the user accesses are in both cases the same, so I always
    have to start the session at the beginning of the file to check whether the
    user is logged in or not and then display the appropriate information.

    Has anybody got an idea if this can be done, and how?

    Thanks heaps!


    Fredo Vincentis Guest

  2. #2

    Default Re: stop SID from showing

    *** Fredo Vincentis wrote/escribió (Thu, 1 Jul 2004 21:16:25 +1000):
    > I have got a session variable that I want to follow around my website but
    > only if a user has logged in. So let's assume I had a session variable
    > called "userID". If userID exists, it means that the user has previously
    > logged in and yes, I do want the SID to be appended to my URL string.
    >
    > But if the user has not logged in (userID does not exist as a session
    > variable) I don't want the SID to be appended.
    I guess you'll have to use a custom function to create all links in your
    app. For instance, osCommerce has this:



    ////
    // The HTML href link wrapper function
    function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
        if (!tep_not_null($page)) {
            die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine the page link!<br><br>');
        }

        // Pick the scheme/host prefix for the requested connection type
        if ($connection == 'NONSSL') {
            $link = HTTP_SERVER . DIR_WS_CATALOG;
        } elseif ($connection == 'SSL') {
            if (ENABLE_SSL == true) {
                $link = HTTPS_SERVER . DIR_WS_CATALOG;
            } else {
                $link = HTTP_SERVER . DIR_WS_CATALOG;
            }
        } else {
            die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine connection method on a link!<br><br>Known methods: NONSSL SSL</b><br><br>');
        }

        if (tep_not_null($parameters)) {
            $link .= $page . '?' . $parameters;
            $separator = '&';
        } else {
            $link .= $page;
            $separator = '?';
        }

        // Strip a trailing '&' or '?' left over from the parameter string
        while ( (substr($link, -1) == '&') || (substr($link, -1) == '?') ) $link = substr($link, 0, -1);

        // Add the session ID when moving from HTTP and HTTPS servers or when SID is defined.
        // PHP's SID constant is "name=id" when the client sent no session cookie and an
        // empty string when it did, so the elseif branch only fires for cookieless clients.
        if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {
            $sid = tep_session_name() . '=' . tep_session_id();
        } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
            $sid = SID;
        }

        if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
            while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

            $link = str_replace('?', '/', $link);
            $link = str_replace('&', '/', $link);
            $link = str_replace('=', '/', $link);

            $separator = '?';
        }

        if (isset($sid)) {
            $link .= $separator . $sid;
        }

        return $link;
    }




    Of course, yours needn't be so complicated.


    --
    Álvaro G. Vicario - Burgos, Spain
    Alvaro G Vicario Guest
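A stripped-down version of the wrapper idea, as added example code that is not from the thread or from osCommerce: transparent rewriting is switched off so PHP never appends the SID by itself, and a small helper appends it only when the visitor is logged in and arrived without a session cookie. It assumes the login marker is the `$_SESSION['userID']` key from the original question; the page and parameter names in the usage comment are made up. Any SID that does go into a URL is still exposed to Referer headers and copy-and-paste, so this limits where it appears rather than what it can do.

```php
<?php
// Added example (not from the thread or osCommerce): append the session ID
// to a link only when a logged-in user has no session cookie.
// Assumes the logged-in marker is $_SESSION['userID'].

ini_set('session.use_trans_sid', '0');    // PHP must not rewrite URLs on its own
ini_set('session.use_only_cookies', '0'); // but it must still accept ?PHPSESSID=... from a URL
session_start();

/**
 * Build a link; add name=id only when it is actually needed.
 * After session_start(), PHP's SID constant is "name=id" when the client sent
 * no session cookie and "" when it did, so SID !== '' is the cookieless test.
 * Anonymous visitors, and therefore search-engine crawlers, get a clean URL.
 */
function sid_link(string $page, array $params = []): string
{
    $url = $page;
    if ($params !== []) {
        $url .= '?' . http_build_query($params);
    }

    $loggedIn = isset($_SESSION['userID']);
    if ($loggedIn && SID !== '') {
        $sep  = (strpos($url, '?') === false) ? '?' : '&';
        $url .= $sep . SID;
    }
    return $url;
}

// Usage in a template (hypothetical page and parameter names):
//   <a href="<?= htmlspecialchars(sid_link('profile.php', ['tab' => 'edit'])) ?>">Profile</a>
```

If routing every link through a helper is impractical, PHP's `output_add_rewrite_var(session_name(), session_id())` performs the same URL and form rewriting that `session.use_trans_sid` does, but only when you call it; guarding that single call with the same `isset($_SESSION['userID']) && SID !== ''` test gives the same result without touching the templates.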

  3. #3

    Default Re: stop SID from showing

    Ok, I'm confused, you think that if a user is not logged in it's a
    security risk for them to be passing the SID in the links? Last I
    checked, the security risk is passing the SID around, regardless if
    they are logged in or not, because if they (for example) leave your
    website while logged in (for example on a page that shows their
    profile; change password, etc) and go to some other website, then in
    the some other website's referral log it will have the entire url to
    the user's profile, with the SID, allowing some malicious webmaster to
    go into the user's profile and change their information (including
    their password). You get what I'm saying? For example, in osCommerce,
    if I (for whatever reason) disable cookies, and it passes the session
    id in the Earl, and I'm logged in but I want to show a buddy this
    nifty <whatever> I'm looking at, and I send him that link from my
    Address Bar, he will technically be logged in as me. Now, say as a
    joke this buddy decides to change my name to <insert expletive>, or
    my password so I can't log in. The whole point is
    session.use_trans_sid is bad, bad, bad; period.

    If you're concerned about the security of your users, disable
    session.use_trans_sid and stick with using the session_id as a cookie
    (ie. $_COOKIE[session_name()]). If you really desire passing the SID
    around for logged in users only, then you need to combine PHP and
    Javascript to do the trick:

    <script type="text/javascript">
    // The session name and ID must arrive in JavaScript as string literals;
    // json_encode() quotes them (the original emitted a bare, unquoted token).
    var sidName = <?php echo json_encode(session_name()); ?>;
    var sid = <?php echo json_encode(session_id()); ?>;

    for (var i = 0; i < document.links.length; i++) {
        var a = document.links[i];
        if (a.href.indexOf(sidName + '=') == -1) {
            // keep an existing query string intact instead of adding a second '?'
            a.href += (a.href.indexOf('?') == -1 ? '?' : '&') + sidName + '=' + sid;
        }
    }
    </script>

    On Thu, 1 Jul 2004 21:16:25 +1000, "Fredo Vincentis"
    <yahoda21hotmailNoSpam.com> wrote:
    >Having considered all security risks involved, I have decided that my
    >website needs to run without cookies and therefore turned on the trans_sid.
    >
    >But now I am trying to stop the SID from being automatically appended to my
    >URLs unless it is needed, but have been so far unsuccessful:
    >
    >I have got a session variable that I want to follow around my website but
    >only if a user has logged in. So let's assume I had a session variable
    >called "userID". If userID exists, it means that the user has previously
    >logged in and yes, I do want the SID to be appended to my URL string.
    >
    >But if the user has not logged in (userID does not exist as a session
    >variable) I don't want the SID to be appended.
    >
    >The files that the user accesses are in both cases the same, so I always
    >have to start the session at the beginning of the file to check whether the
    >user is logged in or not and then display the appropriate information.
    >
    >Has anybody got an idea if this can be done, and how?
    >
    >Thanks heaps!
    >
    eclipsboi Guest
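The two failure modes in this post (the SID leaking through a Referer header, and a pasted URL logging a friend in as you) both come from the ID travelling in the URL; a third, related one is session fixation, where someone hands a victim a link with an ID the attacker already knows. The following is added example code, not from the post, showing the cookie-only configuration the post recommends together with the login-time step that makes any previously exposed ID worthless. The user store, credentials and redirect target are constructed for the example.

```php
<?php
// Added example (not from the thread): cookie-only session settings that keep
// the SID out of URLs, Referer headers and pasted links, plus ID regeneration
// at login. The credential store and login check are constructed stand-ins.

ini_set('session.use_only_cookies', '1');   // ignore any ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid',    '0');   // never rewrite links/forms to carry the SID
ini_set('session.use_strict_mode',  '1');   // refuse IDs the server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly',  '1');   // not readable from document.cookie
ini_set('session.cookie_secure',    '1');   // HTTPS only; drop this line on a plain-HTTP dev box
ini_set('session.cookie_samesite',  'Lax'); // PHP >= 7.3; cross-site navigations carry it, cross-site POSTs do not
session_start();

// Constructed sample store: username => password_hash() output.
$USERS = [
    'fredo' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

/** Verify credentials; on success swap the session ID before storing the login. */
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Privilege change => fresh ID. Whatever ID the browser had before
    // (planted by an attacker, or seen in a URL) stops being valid.
    session_regenerate_id(true);
    $_SESSION['userID'] = $user;
    return true;
}

/** Clear server-side data and expire the cookie on the client. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage from a login handler (constructed request values):
if (login('fredo', 'correct horse battery staple', $USERS)) {
    header('Location: /profile.php'); // the SID now travels only in Set-Cookie
}
```

With `session.use_only_cookies` on, a URL that still contains an old `PHPSESSID=` parameter is simply ignored, and with strict mode on the server will not adopt an ID it did not hand out, so the pasted-link and fixation cases collapse to "the visitor is anonymous".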

  4. #4

    Default Re: stop SID from showing

    "eclipsboi" <eclipsboihotmail.com> wrote in message
    news:1p5la011i58or8cf50hu2r7ff6p0mvsf3k4ax.com...
    > Ok, I'm confused, you think that if a user is not logged in it's a
    > security risk for them to be passing the SID in the links? Last I
    I do understand the security risks of passing the SID in the URL. It
    wasn't so much out of security reasons that I want to hide the SID unless
    required, but mainly because it shows up in the Google Results even for
    pages that do not need a session ID (because they can be viewed without
    being logged in).
    > If you really desire passing the SiD
    > around for logged in users only, then you need to combine PHP and
    > Javascript to do the trick:
    Same problem: Google doesn't get Javascript, so I won't be able to get rid
    of my SID in the URL.


    Fredo Vincentis Guest

  5. #5

    Default Re: stop SID from showing

    So I take it every single page uses sessions? You might want to
    reconsider that method, as you've already encountered problems like
    this. Remember, simple is better, and if it isn't absolutely
    mission-critical to pass information from page to page, then don't
    overuse sessions. If Google is pulling up your pages with the SID
    attached to the Earls, then it's safe to say that Google can't do
    cookies. And since indexing your pages with a very old, and stale SID
    would probably not work in your app, then you may want to not use
    sessions on pages that do not need them (like say your front page,
    contact page, or anything else that would be naturally indexed by a
    search engine). Use sessions only when necessary, not all the time.
    The only other alternative, and not very recommended, way would be to
    make your session expire time some ridiculously long time (like, say,
    100 years or something). Then it wouldn't matter if Google indexed the
    Earl with the session ID.

    http://www.php.net/session_expire

    <?php
    // 100 years -- give or take. (PHP has no session_expire() function; the
    // nearest working equivalent is the pair below, both set before session_start():
    // session.gc_maxlifetime for the server-side data, and the cookie lifetime
    // via session_set_cookie_params().)
    $hundredYears = 60*60*24*365*100;
    ini_set('session.gc_maxlifetime', $hundredYears);
    session_set_cookie_params($hundredYears);
    session_start();
    ?>
    >Same problem: Google doesn't get Javascript, so I won't be able to get rid
    >of my SID in the URL.
    >
    eclipsboi Guest

  6. #6

    Default Re: stop SID from showing

    Fredo Vincentis wrote:

    <snip>
    > I have got a session variable that I want to follow around my website but
    > only if a user has logged in. So let's assume I had a session variable
    > called "userID". If userID exists, it means that the user has previously
    > logged in and yes, I do want the SID to be appended to my URL string.
    <snip>
    > The files that the user accesses are in both cases the same, so I always
    > have to start the session at the beginning of the file to check whether
    > the user is logged in or not and then display the appropriate information.
    Session ID is required for a session to "start" - so you cannot start and
    not start a session at the same time; unless you do your own session
    management (whether in PHP scripts or as a custom module) for visitors and
    only start the "real" PHP session when the user logs in. Quite frankly, I
    don't see a point in all of this - it does not improve security in any
    significant way.
    Zurab Davitiani Guest
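Zurab's suggestion (handle anonymous visitors without a PHP session and start the real one only at login) and eclipsboi's "use sessions only when necessary" come down to the same rule in code: never call `session_start()` for a request that brings no session ID, unless that request is the login itself. The block below is added example code, not from either post. It assumes the logged-in marker is `$_SESSION['userID']` and that, as in the original question, the site does not rely on cookies, so an ID may legitimately arrive in the query string.

```php
<?php
// Added example (not from the thread): start the PHP session only when the
// request already carries a session ID, or when the page is about to log the
// user in. Anonymous requests, crawlers included, never get a session, so there
// is no SID to end up in a URL. Assumes the logged-in marker is $_SESSION['userID'].

ini_set('session.use_trans_sid', '0');    // no automatic URL rewriting
ini_set('session.use_only_cookies', '0'); // cookieless site: accept the ID from the URL too
ini_set('session.use_strict_mode', '1');  // but never adopt an ID this server did not issue

/** True when the client presented a session ID (cookie, or query string if allowed). */
function request_has_sid(): bool
{
    $name = session_name();
    if (isset($_COOKIE[$name])) {
        return true;
    }
    return !ini_get('session.use_only_cookies') && isset($_GET[$name]);
}

/** Resume an existing session; never create one for an anonymous visitor. */
function resume_session_if_any(): void
{
    if (session_status() === PHP_SESSION_NONE && request_has_sid()) {
        session_start();
    }
}

/** Called from the login handler only: the one place a session gets created. */
function start_logged_in_session(string $userId): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true); // new ID at privilege change
    $_SESSION['userID'] = $userId;
}

/** The logged-in user, or null; safe to call whether or not a session was started. */
function current_user(): ?string
{
    return $_SESSION['userID'] ?? null;
}

// At the top of every shared page:
resume_session_if_any();
if (current_user() !== null) {
    // render the member view; links may carry the SID for this visitor
} else {
    // render the public view; no session exists, so no SID appears anywhere
}
```

The page files stay the same for both kinds of visitor, which was the constraint in the original question; the difference is that `session_start()` is no longer unconditional, so an anonymous request (or a crawler following a clean link) is never assigned an ID in the first place.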
